Your message dated Sat, 16 Nov 2019 10:08:47 +0000
with message-id
<83c9ffab6f08361485f70dda4733a7a24aeec09b.ca...@adam-barratt.org.uk>
and subject line Closing bugs for 10.2 point release fixes
has caused the Debian Bug report #944119,
regarding buster-pu: package modsecurity-crs/3.1.0-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
944119: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944119
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu
Hi,
This [1] security bug was found in modsecurity-crs.
After contacting the security team, they said a DSA was not necessary
and that I should proceed through p-u.
So here's the debdiff. Hope it's all OK.
I'll wait for your instructions before uploading.
Cheers,
Alberto
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943773
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru modsecurity-crs-3.1.0/debian/changelog
modsecurity-crs-3.1.0/debian/changelog
--- modsecurity-crs-3.1.0/debian/changelog 2019-11-03 14:34:05.000000000
+0100
+++ modsecurity-crs-3.1.0/debian/changelog 2018-11-27 09:12:54.000000000
+0100
@@ -1,10 +1,3 @@
-modsecurity-crs (3.1.0-1+deb10u1) buster; urgency=medium
-
- * Add upstream patch to fix php script upload rules.
- CVE-2019-13464 (Closes: #943773)
-
- -- Alberto Gonzalez Iniesta <[email protected]> Sun, 03 Nov 2019 14:34:05
+0100
-
modsecurity-crs (3.1.0-1) unstable; urgency=medium
* New upstream release.
diff -Nru modsecurity-crs-3.1.0/debian/patches/CVE-2019-13464.patch
modsecurity-crs-3.1.0/debian/patches/CVE-2019-13464.patch
--- modsecurity-crs-3.1.0/debian/patches/CVE-2019-13464.patch 2019-11-03
14:30:47.000000000 +0100
+++ modsecurity-crs-3.1.0/debian/patches/CVE-2019-13464.patch 1970-01-01
01:00:00.000000000 +0100
@@ -1,102 +0,0 @@
-From 6090d6b0a90417f1a60aa68a01eb777cef2e1184 Mon Sep 17 00:00:00 2001
-From: "Federico G. Schwindt" <[email protected]>
-Date: Sat, 4 May 2019 11:03:52 +0100
-Subject: [PATCH] Also handle dot variant of X_Filename
-
-PHP will transform dots to underscore in variable names since dot is
-invalid.
----
- rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf | 4 +-
- .../933110.yaml | 60 +++++++++++++++++++
- 2 files changed, 62 insertions(+), 2 deletions(-)
-
-Index: modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
-===================================================================
---- modsecurity-crs.orig/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
2019-11-03 14:30:34.410293645 +0100
-+++ modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
2019-11-03 14:30:34.406293506 +0100
-@@ -86,7 +86,7 @@
- # X_Filename, or X-File-Name to transmit the file name to the server;
- # scan these request headers as well as multipart/form-data file names.
- #
--SecRule
FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name
"@rx .*\.(?:php\d*|phtml)\.*$" \
-+SecRule
FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name
"@rx .*\.(?:php\d*|phtml)\.*$" \
- "id:933110,\
- phase:2,\
- block,\
-@@ -601,7 +601,7 @@
- #
- # This rule is a stricter sibling of rule 933110.
- #
--SecRule
FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name
"@rx .*\.(?:php\d*|phtml)\..*$" \
-+SecRule
FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name
"@rx .*\.(?:php\d*|phtml)\..*$" \
- "id:933111,\
- phase:2,\
- block,\
-Index:
modsecurity-crs/util/regression-tests/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933110.yaml
-===================================================================
----
modsecurity-crs.orig/util/regression-tests/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933110.yaml
2019-11-03 14:30:34.410293645 +0100
-+++
modsecurity-crs/util/regression-tests/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933110.yaml
2019-11-03 14:30:34.406293506 +0100
-@@ -288,3 +288,63 @@
- uri: /
- output:
- no_log_contains: id "933110"
-+ -
-+ test_title: 933110-20
-+ desc: PHP script uploads
-+ stages:
-+ - stage:
-+ input:
-+ dest_addr: 127.0.0.1
-+ headers:
-+ Host: localhost
-+ User-Agent: ModSecurity CRS 3 Tests
-+ X.Filename: a.php
-+ port: 80
-+ uri: /upload2
-+ output:
-+ log_contains: id "933110"
-+ -
-+ test_title: 933110-21
-+ desc: PHP script uploads
-+ stages:
-+ - stage:
-+ input:
-+ dest_addr: 127.0.0.1
-+ headers:
-+ Host: localhost
-+ User-Agent: ModSecurity CRS 3 Tests
-+ X.Filename: fda.php5...
-+ port: 80
-+ uri: /upload6
-+ output:
-+ log_contains: id "933110"
-+ -
-+ test_title: 933110-22
-+ desc: PHP script uploads
-+ stages:
-+ - stage:
-+ input:
-+ dest_addr: 127.0.0.1
-+ headers:
-+ Host: localhost
-+ User-Agent: ModSecurity CRS 3 Tests
-+ X.Filename: fthisfewfda.php.
-+ port: 80
-+ uri: /upload7
-+ output:
-+ log_contains: id "933110"
-+ -
-+ test_title: 933110-23
-+ desc: PHP script uploads
-+ stages:
-+ - stage:
-+ input:
-+ dest_addr: 127.0.0.1
-+ headers:
-+ Host: localhost
-+ User-Agent: ModSecurity CRS 3 Tests
-+ X.Filename: fthi/sfewfda.phtml987...
-+ port: 80
-+ uri: /
-+ output:
-+ no_log_contains: id "933110"
diff -Nru modsecurity-crs-3.1.0/debian/patches/series
modsecurity-crs-3.1.0/debian/patches/series
--- modsecurity-crs-3.1.0/debian/patches/series 2019-11-03 14:30:28.000000000
+0100
+++ modsecurity-crs-3.1.0/debian/patches/series 2016-11-14 19:38:28.000000000
+0100
@@ -1,2 +1 @@
fix_paths
-CVE-2019-13464.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.2
Hi,
The fixes referenced by these bugs were included in today's 10.2 stable
point release.
Regards,
Adam
--- End Message ---
